{"id":7576,"date":"2020-12-16T21:11:42","date_gmt":"2020-12-17T04:11:42","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7576"},"modified":"2023-04-05T12:41:34","modified_gmt":"2023-04-05T19:41:34","slug":"csw-analysis-of-solarwinds-vulnerabilities-weaponization","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/csw-analysis-of-solarwinds-vulnerabilities-weaponization\/","title":{"rendered":"Securin&#8217;s Analysis of SolarWinds: Top Scanners Miss Several Vulnerabilities"},"content":{"rendered":"<blockquote>\n<p style=\"text-align: justify;\"><span style=\"font-size: 20px;\"><strong>The massive breach of the SolarWinds Network Management product has compromised as many as 18,000 organizations outside of the US Government entities, security agencies, and defense entities. We took a closer look at the weaknesses that exist in other SolarWinds&#8217; products and found that top scanners miss most of the vulnerabilities.<\/strong><\/span><\/p>\n<\/blockquote>\n<h2 style=\"text-align: justify;\"><strong>Our Key Findings<\/strong><\/h2>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">102 vulnerabilities exist in SolarWinds products, wherein 34 CVEs are weaponized.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">30 CVEs are rated critical; 21 are high.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">85 old vulnerabilities exist in SolarWinds, ranging from 2001 to 2019.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">CWE-79 (Improper Neutralization of Input During Web Page Generation) seems to be the most exploited weakness, with 18 falling in this category.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">The 15 CVEs in the Orion Network Management tool and <a href=\"https:\/\/support.solarwinds.com\/SuccessCenter\/s\/article\/CVE-2019-9546-Orion-Platform-Vulnerability?language=en_US\">CVE-2019-9546<\/a> are the suspected culprits for this breach. \u00a0<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">SolarWinds Orion Network Management tool is also responsible for the <a href=\"https:\/\/cybersecurityworks.com\/blog\/cyber-risk\/fireeyes-stolen-pentesting-tools-the-vulnerabilities-they-target.html\" target=\"_blank\" rel=\"noopener\">FireEye breach<\/a> when pentesters&#8217; tools were stolen.\u00a0<\/span><\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter\" style=\"width: 900px; height: 526px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/solar-winds.png\" alt=\"\" \/><\/p>\n<h2 style=\"text-align: justify;\"><strong>The Attack Surface<\/strong><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">When we analyzed the vulnerabilities and weaponization statistics, we observed the following:<\/span><\/span><\/p>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">35% of SolarWinds CVEs are weaponized.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">22 CVEs have RCE\/PE capabilities, making their fixes extremely critical.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">SolarWinds&#8217; products have vulnerabilities existing from 2001 to 2019. The maximum number of vulnerabilities is from 2019, followed by 2020 and 2010.<\/span><\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter\" style=\"width: 800px; height: 533px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/solar-winds-vulnerabilities2001-2020.png\" alt=\"\" \/><\/p>\n<h2 style=\"text-align: justify;\"><strong>\u00a0CWE Analysis<\/strong><\/h2>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">CWE-79 and CWE-20 are the most exploited weaknesses in SolarWinds&#8217; products.<\/span><\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter\" style=\"width: 790px; height: 517px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/top-5-cwe-analysis.png\" alt=\"\" \/><\/p>\n<h2 style=\"text-align: justify;\"><strong>Old Vulnerabilities<\/strong><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">83% of vulnerabilities in SolarWinds are old weaknesses. These vulnerabilities range from 2001 to 2020, presenting two decades of bugs.<\/span><\/span><\/p>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Of these 85 vulnerabilities, 32 are weaponized with known exploits.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">13 CVEs have RCE and PE capabilities.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">23 CVEs are rated critical, 21 are high, and 41 are medium.<\/span><\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter\" style=\"width: 500px; height: 386px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/old-vulnerabilities.png\" alt=\"\" \/><\/p>\n<h2><strong>SolarWinds&#8217; Product Analysis<\/strong><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Next, we analyzed the different types of products that have these vulnerabilities and their broad categories:\u00a0<\/span><\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">45 vulnerabilities are associated with file transfer servers specifically used to transfer colossal data, a favorite target of threat actors who can steal and expose sensitive files.<\/span><\/span><\/li>\n<\/ul>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">24 CVEs were linked to the IT monitoring tool. These types of tools should not be exposed to the internet as they serve as standalone tools for pointing out critical issues.<\/span><\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter\" style=\"width: 550px; height: 424px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/top-15-products-with-maximum-vulnerabilities(1).png\" alt=\"\" \/><\/p>\n<h2 style=\"text-align: justify;\"><strong>SolarWinds Global Exposure Analysis<\/strong><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">More than 300,000 customers worldwide, including defense, Fortune 500 companies, government agencies, telecommunication companies, and educational institutions, have been using the SolarWinds Network Monitoring tool.<\/span><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Country-wise exposure analysis reveals the following details:<\/span><\/span><\/p>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">117 countries use SolarWinds&#8217; products, making this breach extremely critical.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">The US tops the list with a count of 698 internet-facing products; the UK ranks next with 98 products, and India has 56.<\/span><\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrvTBzc9qgk5tTHi?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/span><\/span><\/p>\n<h3><span style=\"font-size: 12px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><strong>Table: Analysis Based on Countries<\/strong><\/span><\/span><\/h3>\n<h2 style=\"text-align: justify;\"><strong>SolarWinds Scanner Coverage Analysis <\/strong><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">We analyzed the data further by comparing the CVEs with some scanners that could detect SolarWinds&#8217; vulnerabilities.<\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 550px; height: 424px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/scanner-analysis.png\" alt=\"\" \/><\/span><\/span><\/p>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Out of 102 CVEs, the Tenable scanner detected 37 vulnerabilities.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Qualys was able to find 15 vulnerabilities.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Nexpose detected a single vulnerability.<\/span><\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Internet chatter is abuzz with the fact that this might be a nation-state attack, a fact that we concur with. There have been no demands for ransom, and the threat actors have been patiently biding their time since the Spring of 2020 to mount their attacks. While much conversation is floating around about the possible APT groups that could have been involved in this attack, our investigation has not revealed any association with ransomware or APT groups.<\/span><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">What we see today is probably the most serious cyberattack of all times perpetrated by threat actors not motivated by greed. With state secrets compromised, attacks such as these force us to take a step back and see what we can learn from it.<\/span><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">One of the many lessons from this incident would be that organizations <strong>should and must <\/strong>seriously invest in <strong>vulnerability management and penetration testing <\/strong>and continuously check their attack surface from infrastructure to code.<\/span><\/span><\/p>\n<h2 style=\"text-align: justify;\"><strong>Related Blogs<\/strong><\/h2>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"https:\/\/cybersecurityworks.com\/blog\/vulnerabilities\/vulnerability-analysis-solarwinds-orion-network-management.html\" target=\"_blank\" rel=\"noopener\">SolarWinds Vulnerability Analysis<\/a><br \/>\n<a href=\"https:\/\/cybersecurityworks.com\/blog\/cyber-risk\/fireeyes-stolen-pentesting-tools-the-vulnerabilities-they-target.html\" target=\"_blank\" rel=\"noopener\">FireEye&#8217;s Stolen Pentesting Tools<\/a><\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The massive breach of SolarWinds Network Management product has compromised as many as 18,000 organizations outside of U.S Government entities, security agencies, defense entities. We took a closer look at the weaknesses that exist in other SolarWinds products and found that top scanners miss most of the vulnerabilities.<\/p>\n","protected":false},"author":1,"featured_media":7574,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[82,138,80,81],"tags":[341,141,338,340,337],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7576"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7576"}],"version-history":[{"count":7,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7576\/revisions"}],"predecessor-version":[{"id":14737,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7576\/revisions\/14737"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7574"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}